Reputation: 7710
Securing secret keys in Android
I have a web service that does some payment operation, so it's very critical. Of course it has a secret key that can't be called without.
I'll assume that sooner or later my .apk file will be decompiled and the code will be readable. Now, if I decided to receive that key by calling another service, the url of that service will be stored in my code, but I've just said that it's not secure and can't be hidden!!
What is the best approach in such situation?
Upvotes: 0
Views: 189
Answers (1)
Reputation: 617
I'm not a security expert, but I guess oAuth would be a good choice. Sites like Google use it for authenticating, and it's secure. The user needs to sign in using his credentials, and the application receives an oAuth token and secret to make API calls.
In that case, decompiling the application won't help the hacker, since he'll still need the credentials of users.
It requires changes on both the server and the client side, but I don't think that's a problem, since security is more important in this case.
Upvotes: 1
Related Questions
- Securing API key in Android
- How to secure secret keys in Android App?
- How to secure web services coming from only android app to server without login
- How secure Web services in android Studio?
- Securing communication from android to a web service
- Secure web service requests
- Android: Securing Your Private Key
- Authentication of webservices
- Connecting to a webservice from an Android app securely
- Secure requests to a Webservice via Android